[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla

2023-01-15 Thread bugproxy
--- Comment From boris.m...@de.ibm.com 2023-01-15 11:13 EDT---
Fix is now available in focal, jammy and kinetic, therefore we can close this bug.
Thanks everyone for your work!

==> Changing the status to: CLOSED

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1996071

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems:
  Fix Released
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Jammy:
  Fix Released
Status in linux source package in Kinetic:
  Fix Released

Bug description:
  SRU Justification:
  ==

  [Impact]

   * Secure boot of Linux on s390x will no longer be possible
     with an upcoming IBM zSystems firmware update.

  [Fix]

   * aa127a069ef3 aa127a069ef312aca02b730d5137e1778d0c3ba7
     "s390/boot: add secure boot trailer"
     for kinetic and jammy

   * https://launchpadlibrarian.net/633020900/0001-s390-boot-add-secure-boot-trailer.patch
     backport for focal

  [Test Plan]

   * An IBM z15 or LinuxONE III LPAR with zFCP/SCSI disk storage is
     required.

   * Ensure that 'Enable Secure Boot for Linux' is marked in case
     'SCSI Load' is selected at the HMC's Load task and Activation Profile.

   * Perform an Ubuntu Server installation, either 20.04 or 22.04
     (latest ISO).
     It will be a secure boot installation by default in case
     'Enable Secure Boot for Linux' was marked.

   * Check sysfs:
     /sys/firmware/ipl/has_secure
       '1' indicates hw support for secure boot, otherwise '0'
     /sys/firmware/ipl/secure
       '1' indicates that secure IPL was successful, otherwise '0'

   * Navigate to the HMC task 'System information'
     and check the active firmware release.

   * Ensure that Ubuntu is still bootable in secure-boot mode
     with the updated firmware active,
     by for example doing a reboot after the firmware upgrade.

   * There is also a way to test the trailer on systems that do not
     have the updated firmware yet - in this case use the following script:
     https://launchpadlibrarian.net/633126861/check_sb_trailer.sh

  [Where problems could occur]

   * The 'trailer' might be broken, invalid or in a wrong format
     and can't be identified or read properly,
     or may cause issues while compressing/decompressing the kernel.

   * In worst case secure boot might become broken,
     even on systems that are still on the unpatched firmware level.

   * Or secure boot will become broken in general.

  [Other Info]

   * The above commit was upstream accepted with v6.1-rc3.

   * And it got tagged for upstream stable with:
     "Cc:  # 5.2+"

   * But since this bug is marked as critical, and the patch is relatively
     short, traceable and s390x-specific, I'll go ahead and submit this
     patch for Jammy and Focal ahead of upstream stable.

   * Since on focal file 'vmlinux.lds.S' is at a different location
     'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
     and the context is slightly different, the backport is needed.

   * It's planned to have kernel 6.2 in lunar (23.04), hence it will have
     the patch incl. when at the planned target level.

  __

  Description:   boot: Add secure boot trailer
  Symptom:       Secure boot of Linux will no longer be possible with an
                 upcoming IBM Z firmware update.

  Problem:       New IBM Z firmware requires signed bootable images to contain a
                 trailing data block with a specific format.

  Solution:      Add the trailing data block to the Linux kernel image.

  Reproduction:  Apply latest firmware, perform IPL with Secure Boot
                 enabled.

  Fix:           available upstream with
  Upstream-ID:   aa127a069ef312aca02b730d5137e1778d0c3ba7

  Preventive:    yes

  Date:          2022-10-27
  Author:        Peter Oberparleiter
  Component:     kernel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1996071/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla

2023-01-05 Thread bugproxy
This bug was not opened against linux-xilinx-zynqmp and the s390-tools
package is not relevant for this.

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems:
  Fix Committed
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Jammy:
  Fix Released
Status in linux source package in Kinetic:
  Fix Released



[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla

2022-11-11 Thread bugproxy
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-11 03:49 EDT---
(In reply to comment #12)
> Created attachment 156118 [details]
> 0001-s390-boot-add-secure-boot-trailer.patch

I verified that this patch correctly adds the required secure boot
trailer for v5.4 kernels.

Title:
  [UBUNTU 20.04] boot: Add s390x secure boot trailer

Status in Ubuntu on IBM z Systems:
  In Progress
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Kinetic:
  In Progress



[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla

2022-11-10 Thread bugproxy
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-10 10:24 EDT---
(In reply to comment #8)
> In the focal master-next tree file 'vmlinux.lds.S' is at a different
> location: 'arch/s390/boot/compressed/' instead of 'arch/s390/boot/'
> and the context is also slightly different.
>
> Would you please have a look at the attached backport for focal and confirm
> that it's correct?
> Since it has this add. block:
> "
> . = ALIGN(256);
> .bss : {
> _bss = . ;
> *(.bss)
> *(.bss.*)
> *(COMMON)
> . = ALIGN(8); /* For convenience during zeroing */
> _ebss = .;
> }
> "

The sb_trailer block needs to move to before the .bss definition, and
replaces the ALIGN(256) line. Otherwise kernel image sizes will be
unnecessarily increased by the size of the discarded bss section. It
should look something like this:

_compressed_start = .;
*(.vmlinux.bin.compressed)
_compressed_end = .;
-   FILL(0xff);
-   . = ALIGN(4096);
}
-   . = ALIGN(256);
+
+#define SB_TRAILER_SIZE 32
+   /* Trailer needed for Secure Boot */
+   . += SB_TRAILER_SIZE; /* make sure .sb.trailer does not overwrite the 
previous section */
+   . = ALIGN(4096) - SB_TRAILER_SIZE;
+   .sb.trailer : {
+   QUAD(0)
+   QUAD(0)
+   QUAD(0)
+   QUAD(0x00207a49504c)
+   }
+
.bss : {
_bss = . ;
*(.bss)
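
Review bot: the "QUAD(0x00207a49504c)" line in .sb.trailer carries no comment and is written with 12 hex digits, so its 8-byte layout is not obvious to the next reader; pad it to 16 digits and annotate it (the low four bytes 7a 49 50 4c are ASCII "zIPL", and the 0x20 above them equals the value of SB_TRAILER_SIZE). The four QUADs also have to total exactly SB_TRAILER_SIZE for ". = ALIGN(4096) - SB_TRAILER_SIZE" to leave the end of the section on a 4096-byte boundary, so a linker-script ASSERT on the size of .sb.trailer would catch a later edit that changes one without the other.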

> Looks like we commented in parallel.
> Yes, backport will be helpful.

Ok, will try to work on that.

Title:
  [UBUNTU 20.04] boot: Add secure boot trailer

Status in Ubuntu on IBM z Systems:
  New
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  New
Status in linux source package in Jammy:
  New
Status in linux source package in Kinetic:
  New

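
The trailer layout from the hunk in the comment above, together with the sysfs check from the bug description's test plan, as an added example that is not part of the thread and is not the check_sb_trailer.sh script linked there. It assumes the trailer is the last 32 bytes of the image file, that the image starts at a 4096-aligned address, and that QUADs are stored big-endian as on s390x; the function names and the sample images are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the s390x secure boot trailer described in this thread.
# Assumptions: the trailer is the last 32 bytes of the image file, the image
# starts at a 4096-aligned address, and QUADs are stored big-endian (s390x).

SB_TRAILER_SIZE=32
# QUAD(0) x3 then QUAD(0x00207a49504c): 48 zero digits + 000000207a49504c
SB_TRAILER_HEX="$(printf '%048d' 0)000000207a49504c"

# Print the two sysfs flags from the test plan; $1 overrides the directory.
ipl_secure_state() {
    dir=${1:-/sys/firmware/ipl}
    has=$(cat "$dir/has_secure" 2>/dev/null) || has=absent
    sec=$(cat "$dir/secure" 2>/dev/null) || sec=absent
    echo "has_secure=$has secure=$sec"
}

# Return 0 if image $1 ends with the trailer on a 4096-byte boundary.
verify_sb_trailer() {
    img=$1
    [ -r "$img" ] || { echo "FAIL: cannot read $img" >&2; return 2; }
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -lt "$SB_TRAILER_SIZE" ] || [ $((size % 4096)) -ne 0 ]; then
        echo "FAIL: size $size is not a non-zero multiple of 4096" >&2
        return 1
    fi
    tail_hex=$(tail -c "$SB_TRAILER_SIZE" "$img" | od -An -v -tx1 | tr -d ' \n')
    if [ "$tail_hex" != "$SB_TRAILER_HEX" ]; then
        echo "FAIL: last $SB_TRAILER_SIZE bytes are $tail_hex" >&2
        return 1
    fi
    echo "OK: $img ends with the secure boot trailer"
}

# Constructed sample input: $1=path, $2=payload bytes, $3=yes to append trailer.
make_sample_image() {
    head -c "$2" /dev/zero > "$1"
    if [ "$3" = yes ]; then
        head -c 24 /dev/zero >> "$1"          # three zero QUADs
        printf '\000\000\000\040zIPL' >> "$1" # 0x000000207a49504c
    fi
}

# Usage: sh this_file.sh <kernel image>
if [ "$#" -gt 0 ]; then
    ipl_secure_state
    verify_sb_trailer "$1"
fi
```

A failing check here only says the file does not match the layout assumed above; the firmware's own acceptance at IPL remains the authoritative test.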


[Kernel-packages] [Bug 1996071] Comment bridged from LTC Bugzilla

2022-11-10 Thread bugproxy
--- Comment From peter.oberparlei...@de.ibm.com 2022-11-10 08:55 EDT---
(In reply to comment #6)
> So commit aa127a069ef312aca02b730d5137e1778d0c3ba7 "s390/boot: add secure
> boot trailer" was just upstream accepted with v6.1-rc3.
> And it got tagged for upstream stable with:
> "Cc:  # 5.2+"
> That means that it will ideally automatically land over time in all Ubuntu
> kernels, down to focal's 5.4.

Unfortunately the automated stable backport to v5.4, v5.10, and v5.14
failed because the source file that is modified by this patch was moved
around:

https://lore.kernel.org/stable/166719900013...@kroah.com/

> But since this bug is marked as critical, the patch is relatively short,
> traceable and s390x-specific, I'll go ahead and submit this patch for Jammy
> and Focal ahead of upstream stable.

In addition to the work you plan, I could provide an adjusted stable
backport for the upstream targets for which automatic backport failed.
Would this help get this patch into any more Ubuntu versions?

Title:
  [UBUNTU 20.04] boot: Add secure boot trailer

Status in Ubuntu on IBM z Systems:
  New
Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Focal:
  New
Status in linux source package in Jammy:
  New
Status in linux source package in Kinetic:
  New
